Posted to dev@trafficserver.apache.org by Brian Neradt <br...@gmail.com> on 2023/02/01 20:40:39 UTC

Suggestion for New tunnel_route Port Specification Features

dev@trafficserver.apache.org:

There are situations in which an origin needs to be connected to on the
same port that the client connected to ATS on. Consider the following
configuration:

client -> ats1 -> ats2 -> server

The `client` connects to `ats1` on one of a number of possible ports over a
non-contiguous port range, and the application running on `server` needs
`ats2` to connect to it on the same port that `ats1` was connected to. I
suggest we provide a solution for this via the Proxy Protocol feature:
https://docs.trafficserver.apache.org/admin-guide/configuration/proxy-protocol.en.html#proxy-protocol

Using this, `ats1` communicates the port that `client` connected to it on
to `ats2` via Proxy Protocol. It is then pretty straightforward to tweak
the tunnel_route sni.yaml configuration to be able to specify that it
should use the port specified in the Proxy Protocol payload.

From a configuration standpoint, I suggest we add support for the user to
specify the destination Proxy Protocol port as the string literal
{proxy_protocol_port} for the host designated in the tunnel_route. With
that specification, ATS will connect to the server on whatever the
destination port was in the Proxy Protocol string on the inbound
connection. Here's an example sni.yaml configuration:

sni:
- fqdn: tunnel-pp.example.com
  tunnel_route: my.backend.example.com:{proxy_protocol_port}

In this case, if the client side connection contains tunnel-pp.example.com
as the SNI in the CLIENT_HELLO handshake, then ATS will connect to
my.backend.example.com on whatever destination port was specified in the
client-side Proxy Protocol for the initiating connection.

Related to this, it is also easy to add support for {inbound_local_port} in
which ATS will connect to the origin server on whatever the destination
port was of the inbound (client-side) connection. Adding
{inbound_local_port} simplifies the solution for when there is only a
single ATS between the client and server.

I've created a draft PR with a possible patch, including updated
documentation and some autests, here:
https://github.com/apache/trafficserver/pull/9358

The rendered sni.yaml doc changes can be viewed here:
https://ci.trafficserver.apache.org/job/Github_Builds/job/docs/741/artifact/output/9358/docbuild/html/admin-guide/files/sni.yaml.en.html#std-configfile-sni.yaml

Please provide any feedback or concerns you may have.

Thanks!
Brian
-- 
"Come to Me, all who are weary and heavy-laden, and I will
give you rest. Take My yoke upon you and learn from Me, for
I am gentle and humble in heart, and you will find rest for
your souls. For My yoke is easy and My burden is light."

    ~ Matthew 11:28-30
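As an added illustration of the mechanism proposed above (example code written for this page, not code from the PR or from Traffic Server itself), the following Python models the two steps involved: parsing the PROXY protocol v1 text header that `ats1` would send, and resolving a tunnel_route whose port is written as {proxy_protocol_port} or {inbound_local_port}. The sni.yaml-like table, the backend hostname, the IP addresses, the header bytes and the `pp_allowlist` of peers permitted to send Proxy Protocol are all constructed for the example; the allowlist check is an assumption about how a deployment would guard the feature, since a port taken from a forwarded header is only as trustworthy as the peer that sent it.

```python
"""Added example (not ATS code): parse a PROXY protocol v1 header and
resolve a tunnel_route written with the proposed port placeholders."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# PROXY protocol v1 is a single text line, at most 107 bytes, e.g.
#   b"PROXY TCP4 <src addr> <dst addr> <src port> <dst port>\r\n"
# "PROXY UNKNOWN\r\n" carries no addresses and is deliberately rejected here.
PP_V1 = re.compile(rb"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d{1,5}) (\d{1,5})\r\n")


@dataclass
class ProxyInfo:
    family: str
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int


def parse_proxy_v1(header: bytes) -> ProxyInfo:
    """Return the addresses and ports from a v1 header, or raise ValueError."""
    if len(header) > 107:
        raise ValueError("PROXY v1 header longer than 107 bytes")
    m = PP_V1.match(header)
    if not m:
        raise ValueError("not a valid PROXY v1 header with addresses")
    src_port, dst_port = int(m.group(4)), int(m.group(5))
    for port in (src_port, dst_port):
        # The regex only bounds the digit count; enforce the real port range.
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
    return ProxyInfo(m.group(1).decode(), m.group(2).decode(),
                     m.group(3).decode(), src_port, dst_port)


# Constructed stand-in for sni.yaml entries (fqdn -> tunnel_route).
SNI_CONFIG = [
    {"fqdn": "tunnel-pp.example.com",
     "tunnel_route": "my.backend.example.com:{proxy_protocol_port}"},
    {"fqdn": "tunnel-local.example.com",
     "tunnel_route": "my.backend.example.com:{inbound_local_port}"},
    {"fqdn": "tunnel-fixed.example.com",
     "tunnel_route": "my.backend.example.com:8443"},
]


def pick_tunnel_route(sni: str, config=SNI_CONFIG) -> Optional[str]:
    """Select the tunnel_route whose fqdn matches the CLIENT_HELLO SNI."""
    for entry in config:
        if entry["fqdn"] == sni:
            return entry["tunnel_route"]
    return None


def resolve_tunnel_route(route: str, inbound_local_port: int,
                         proxy_info: Optional[ProxyInfo]) -> Tuple[str, int]:
    """Turn 'host:<port spec>' into (host, port).

    The port spec may be a number, {proxy_protocol_port} (destination port
    from the received PROXY header) or {inbound_local_port} (the port the
    client connected to on this proxy).
    """
    host, sep, port_spec = route.rpartition(":")
    if not sep or not host:
        raise ValueError(f"tunnel_route needs host:port, got {route!r}")
    if port_spec.isdigit():
        port = int(port_spec)
    elif port_spec == "{proxy_protocol_port}":
        if proxy_info is None:
            # The route depends on a forwarded port that was never received.
            raise LookupError("route needs a Proxy Protocol port, none received")
        port = proxy_info.dst_port
    elif port_spec == "{inbound_local_port}":
        port = inbound_local_port
    else:
        raise ValueError(f"unsupported port spec {port_spec!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"resolved port {port} out of range")
    return host, port


def plan_connection(sni: str, inbound_local_port: int,
                    pp_header: Optional[bytes], peer_addr: str,
                    pp_allowlist) -> Tuple[str, int]:
    """Decide where the tunnel should connect for one inbound connection.

    A PROXY header is honoured only when the TCP peer that sent it is in
    pp_allowlist (constructed here; an assumption about deployment policy).
    """
    proxy_info = None
    if pp_header is not None:
        if peer_addr not in pp_allowlist:
            raise PermissionError("Proxy Protocol header from non-allowlisted peer")
        proxy_info = parse_proxy_v1(pp_header)
    route = pick_tunnel_route(sni)
    if route is None:
        raise LookupError(f"no tunnel_route for SNI {sni!r}")
    return resolve_tunnel_route(route, inbound_local_port, proxy_info)


if __name__ == "__main__":
    # Constructed: client 192.0.2.10 reached ats1 (198.51.100.5) on 8443;
    # ats1 at 203.0.113.7 forwards that to ats2 in the PROXY header.
    hdr = b"PROXY TCP4 192.0.2.10 198.51.100.5 51234 8443\r\n"
    print(plan_connection("tunnel-pp.example.com", 443, hdr,
                          "203.0.113.7", {"203.0.113.7"}))
```

In the two-proxy topology from the post, `ats2` would run the equivalent of `plan_connection` with `ats1`'s address as the peer; in the single-proxy case, the {inbound_local_port} route needs no header at all, which is why the post describes it as the simpler configuration.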